In the same way that Amazon Web Services changed how computing infrastructure is delivered, LimaCharlie changes how information security is delivered. Our approach is to provide the tools and infrastructure needed to run information security operations in the way, and at the time, that suits an organization's needs.
The LimaCharlie global infrastructure is built on the Google Cloud Platform (GCP) and currently has computing resources available in the USA, Canada, Europe, India and the United Kingdom. Choosing a geographical location ensures data will always be processed in that location and never moved outside it. New data centres can be spun up anywhere GCP is available upon customer request.
Secure & Scalable
Data access is managed through Google Cloud IAM which is used to isolate various components and customer data. Processing is done in Google Kubernetes Engine which provides an additional layer of container isolation.
Each LimaCharlie data center uses independent cryptographic keys at all layers. Key management uses industry best practices such as key encryption at rest.
LimaCharlie data is secured starting at the endpoint all the way to your infrastructure.
Endpoint Detection & Response
At its core LimaCharlie is a drop-in endpoint capability. With the agent deployed, users can use the public API, or the web application, to perform detection and response while directing telemetry into existing pipelines and/or data storage.
The agent is cross-platform and allows for direct access to the endpoint where commands can be executed. LimaCharlie runs on all major operating systems across x86, ARM and MIPS architectures.
The total footprint of the agent on disk and in memory is approximately 2MB. The agent typically runs under 1% CPU with small spikes around certain events and usually uses less than 50MB of RAM.
Detection & Response Rules
LimaCharlie has a customizable Detection & Response rules engine. The Detection component is a scriptable rule system in which multiple conditions can be chained to match certain events. When the Detection component matches, the Response component is actioned. Responses are actioned in real time by the sensor via a secure semi-persistent TLS connection. The Detection & Response engine automates your ability to investigate, mitigate, apply tags and more using serverless functions. Round-trip time from detection until the response action is typically under 100ms.
The well-documented Detection and Response engine consumes instructions in YAML format. Examples of how this engine works, along with documentation, can be found here.
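As an added illustration of the chained-condition detection and multi-step response described above (this rule is constructed here and is not taken from the LimaCharlie documentation; the event name, field paths, operators and action names follow the public D&R rule format as understood at time of writing and should be checked against the current docs):

```yaml
# Constructed example rule: flag PowerShell launched with an encoded command
# line and tag the sensor for follow-up. Assumed field names and operators
# (NEW_PROCESS, event/FILE_PATH, event/COMMAND_LINE, "and", "ends with",
# "contains", "report", "add tag") are from the public D&R format; verify them.
detect:
  event: NEW_PROCESS           # evaluate on process-creation telemetry
  op: and                      # chain conditions; every sub-rule must match
  rules:
    - op: ends with
      path: event/FILE_PATH
      value: '\powershell.exe'
      case sensitive: false
    - op: contains
      path: event/COMMAND_LINE
      value: '-EncodedCommand' # base64-encoded script passed on the command line
      case sensitive: false
respond:
  - action: report             # raise a detection visible in the web app and Outputs
    name: encoded-powershell-commandline
  - action: add tag            # mark the sensor so later hunts can scope to it
    tag: suspicious-powershell
    ttl: 86400                 # tag expires after one day (seconds)
```

The report action is what feeds the detect-level telemetry stream mentioned under Output modules, so the same detection can be forwarded to Slack, syslog or storage without further configuration.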
The LimaCharlie endpoint produces telemetry in well-documented JSON that can be output wherever you want. LimaCharlie has modules supporting Slack, Google Cloud Storage, S3, SFTP, Syslog, SMTP and SCP. Out of the box we provide you with a quickstart script to get a Splunk instance set up to receive data in minutes.
You can have as many Output modules active as you want and adjust the verbosity of the telemetry (event, detect and audit levels). This means you can stream to two different syslog destinations using the Syslog Output module and then send the same data to cold storage over an SCP Output module.
Documentation on setting up output connections can be found here.
Logs are critical in information security but the amount of data they generate is huge and existing solutions for managing them are expensive. LimaCharlie can now automatically collect and store logs with no configuration, without installing another agent, for a full year. And yes, you can even send logs to LimaCharlie manually.
LimaCharlie can consume logs from any OS. Logs can be unstructured (no parsers necessary) and we even support pcap and Windows logs.
The LimaCharlie agent is able to report a wide variety of telemetry in the form of events from the endpoint. There are currently 54 different events that can be reported, which produces a lot of data, and we think you should keep it all for a year. At the click of a button LimaCharlie users can enable long-term telemetry storage across their entire fleet.
Telemetry and logs stored with LimaCharlie are indexed and can be searched in a number of ways. From within the web application, or through the API, searching an organization for an IP, file path, hash or user name brings back statistics on the prevalence of the given data point: where, when and how often it has been observed. Users are also able to drill down to the raw telemetry for events of interest.
Using the command line interface (CLI), LimaCharlie users can search for indicators of compromise (IOC) across multiple organizations. The new CLI command supports multiple arguments, and the output is written human-readable to stdout or to a file as YAML. The following man page outlines all available options and provides an example.
Through the web application, LimaCharlie provides an interface where users can explore prevalence and timing for domains, IP addresses, files, file paths, hashes and user names across their entire fleet for up to a year's worth of data. This console also allows users to search for a given sensor ID and deep-dive all of the aforementioned data points for a single endpoint over the given time period.
When searched, an indicator of compromise will show up in the graph along with information relating to when it was observed, how often and across how many endpoints. Users can then click on any given graph node to get more information and start to drill down.
LimaCharlie is able to perform retroactive hunting on up to a year's worth of log and telemetry data. This ability to retroactively apply Detection & Response rules to historical data is extremely powerful and, through the API, can be used to build Continuous Delivery (CD) / Continuous Integration (CI) into detection systems.
This ability enables you to look for specific indicators of compromise and to run complete D&R rules, including those that use threat feeds, APIs or operators, against historical telemetry.
Replicants can be thought of as digital automatons: expert-driven algorithms that use some basic artificial intelligence to perform tasks normally carried out by human analysts.
Each Replicant has a particular specialization. The YARA Replicant automates all aspects of YARA scanning. The Responder Replicant performs an in-depth sweep through the state of a host and highlights any activity that is suspicious. The Integrity Replicant automates file and registry integrity monitoring. The Logging Replicant automates the ingestion of log files from hosts into LimaCharlie's long-term storage, and the Replay Replicant automates threat hunting across historical data. More capability will continue to be added to the Replicant group.
The LimaCharlie web application is built using a templating system that allows it to be white-labeled for customers operating at a certain scale. Resellers of LimaCharlie are able to utilize the white-label version of the web application, combined with advanced role-based access control, to offer branded customer-facing solutions.